
Commit 6ce2c14

authored
[query] Validate namespace ID (#92)
#### Type of change
- Bug fix

#### Description
- Validate namespace ID to prevent SQL injection

#### Related issues
- resolves #84

Signed-off-by: Liran Funaro <liran.funaro@gmail.com>
1 parent b5bf6fa commit 6ce2c14


2 files changed

+21
-0
lines changed


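--- a/service/query/query_service.go
+++ b/service/query/query_service.go
@@ -20,8 +20,10 @@ import (
 	"github.com/hyperledger/fabric-x-committer/api/protoblocktx"
 	"github.com/hyperledger/fabric-x-committer/api/protoqueryservice"
 	"github.com/hyperledger/fabric-x-committer/service/vc"
+	"github.com/hyperledger/fabric-x-committer/service/verifier/policy"
 	"github.com/hyperledger/fabric-x-committer/utils/channel"
 	"github.com/hyperledger/fabric-x-committer/utils/connection"
+	"github.com/hyperledger/fabric-x-committer/utils/grpcerror"
 	"github.com/hyperledger/fabric-x-committer/utils/monitoring/promutil"
 )
 
@@ -133,6 +135,14 @@ func (q *Service) GetRows(
 	ctx context.Context, query *protoqueryservice.Query,
 ) (*protoqueryservice.Rows, error) {
 	q.metrics.requests.WithLabelValues(grpcGetRows).Inc()
+
+	for _, ns := range query.Namespaces {
+		err := policy.ValidateNamespaceID(ns.NsId)
+		if err != nil {
+			return nil, grpcerror.WrapInvalidArgument(err)
+		}
+	}
+
 	defer q.requestLatency(grpcGetRows, time.Now())
 	for _, ns := range query.Namespaces {
 		promutil.AddToCounter(q.metrics.keysRequested, len(ns.Keys))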
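Review bot: The guard on new lines 139–144 rejects bad namespace IDs only at this gRPC entry point, so whatever builds SQL from `ns.NsId` further down (the injection sink this commit targets, per the description) still trusts its caller; consider repeating `policy.ValidateNamespaceID` at the query-building site, or at least documenting the invariant there, so a future internal caller cannot bypass the check. A comment above the new loop would also tell the next reader why a query handler imports a verifier policy package: `// Namespace IDs end up in SQL statements; reject anything outside the policy's allow-list before touching the database.` Note that the check runs before `defer q.requestLatency(...)`, so rejected requests increment the requests counter but record no latency — fine if intended, but worth a word. If other RPCs on this service accept namespace IDs that reach the same SQL, they need the same guard; I cannot see them from this hunk. GetRows continues past the end of the hunk.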

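--- a/service/query/query_service_test.go
+++ b/service/query/query_service_test.go
@@ -81,6 +81,17 @@ func TestQuery(t *testing.T) {
 		requireResults(t, requiredItems, ret.Namespaces)
 	})
 
+	t.Run("Query GetRows bad namespace ID", func(t *testing.T) {
+		t.Parallel()
+		badQuery, _, _ := makeQuery(requiredItems)
+		badQuery.Namespaces[0].NsId = "$1"
+		client := protoqueryservice.NewQueryServiceClient(env.clientConn)
+		ret, err := client.GetRows(t.Context(), badQuery)
+		require.Error(t, err)
+		require.Nil(t, ret)
+		require.Contains(t, err.Error(), policy.ErrInvalidNamespaceID.Error())
+	})
+
 	t.Run("Query GetRows client with view", func(t *testing.T) {
 		t.Parallel()
 		client := protoqueryservice.NewQueryServiceClient(env.clientConn)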
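Review bot: The new subtest asserts only on the error text and never on the status code, so it would still pass if GetRows started surfacing the policy error as codes.Unknown or codes.Internal — the very thing `grpcerror.WrapInvalidArgument` exists to prevent; add `require.Equal(t, codes.InvalidArgument, status.Code(err))` next to the `require.Contains` check (importing `google.golang.org/grpc/codes` and `google.golang.org/grpc/status`). A single input of `"$1"` also leaves the injection-shaped cases untested; a small table with a few more values such as `"ns; DROP TABLE x"`, a double-quoted identifier, and the empty string would pin the allow-list, though which of these the policy rejects I cannot confirm from this hunk. The enclosing TestQuery begins before this hunk.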
